Digital Forensic Software or Equipment Proposal

Please see the attachment for details.


Assignment: Digital Forensic Software or Equipment Proposal

Learning Objectives and Outcomes


Select forensics software and/or equipment.

Assignment Requirements 
You are a new employee of DigiFirm Investigation Company. As part of your company orientation, you are being exposed to each area of the computer forensics investigations firm.

DigiFirm is preparing to set up a new on-site forensics laboratory facility. Kim Blake, the laboratory manager, has asked you to select three examples of software or a state-of-the-art piece of equipment that could be acquired and used in your organization’s new lab.

Your supervisor mentioned to Kim that you could use some indoctrination to the DigiFirm technical capabilities, and what better way than to have you jump right in and help the company plan the new lab. You will help make some important decisions regarding investment in equipment and/or software.

For this assignment:

1. Search the Internet for information about forensic lab tools and equipment.

2. Choose three examples of software or state-of-the-art equipment that would benefit the lab.

3. Write a proposal that covers:

· Your three choices.

· The reasons for choosing them.

· The benefits and limitations (if any) of each choice.

Required Resources

· Course textbook

· Internet

Submission Requirements

Format: Microsoft Word

Font: Arial, Size 12, Double-Space

Citation Style: Your school’s preferred style guide

Length: 1-2 pages

Self-Assessment Checklist

· I researched three pieces of software or equipment that could be acquired and used in the organization’s new forensics lab.

· I described my reasons for choosing them.

· I described the benefits and limitations (if any) of each choice.

System Forensics, Investigation, and Response

Lesson 3

Forensics Methods and Labs

© 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.


Learning Objective

Describe digital forensic methodology and labs.


Key Concepts
Forensic lab set-up
Methodologies and approaches used in forensic investigations
Evidence-handling tasks
Common forensic software programs
Documentation of methodologies and findings


Forensic Investigation Methodologies

There are some general principles that apply to all investigations.
Handle original data as little as possible.
Information should be copied prior to examination. There are two reasons it is important to not touch the actual evidence any more than is absolutely necessary. First, each time the information is touched, there is a chance it may be altered. Another reason is that another investigator may need to examine the original evidence.
Comply with the rules of evidence.
Rules of evidence govern whether, when, how, and why proof of a legal case can be placed before a judge or jury. A forensic specialist must keep in mind general rules of evidence (such as the chain of custody and the Daubert standard) as well as be aware of the rules particular to the individual jurisdiction.
Avoid exceeding one’s knowledge.
Overextending beyond one’s knowledge or skills is likely to come out at trial. It is a good idea to adopt this standard: Never testify or write an expert report unless you are very sure of your expertise in the relevant technologies, and very comfortable with the conclusions you are presenting.
Create an analysis plan.
An analysis plan guides your work. The plan should address how you will gather evidence, concerns about evidence being changed or destroyed, the tools appropriate to the type of investigation, etc. In addition, the plan should include an order of volatility, so that the most volatile evidence is collected prior to less volatile evidence.

Technical Information Collection Considerations
Consider the life span of the information
Data is volatile
Collect information quickly
Collect bit-level information

Life span: How long information is valid. More volatile information tends to have a shorter life span.
Bit-level: Bit level is information at the level of actual 1s and 0s stored in memory or on the storage device, as opposed to going through the file system’s interpretation.

Formal Forensic Approaches

U.S. Department of Defense (DoD) forensic standards
The U.S. Department of Defense (DoD) coordinates and supervises agencies and functions of the government related to national security and the U.S. armed forces. The DoD Cyber Crime Center (DC3) sets standards for digital evidence processing, analysis, and diagnostics. It is involved with DoD investigations that require computer forensics support to detect, enhance, or recover digital media. DC3 is also involved in criminal law enforcement forensics and counterintelligence. In addition, DC3 provides computer investigation training for forensic examiners, investigators, system administrators, and others.
 
The Digital Forensic Research Workshop (DFRWS) framework
The DFRWS is a non-profit, volunteer organization with a goal of enhancing the sharing of knowledge and ideas about digital forensic research. The DFRWS digital investigation framework is a matrix with six classes:
Identification
Preservation
Collection
Examination
Analysis
Presentation
 
Scientific Working Group on Digital Evidence (SWGDE) framework
The Scientific Working Group on Digital Evidence (SWGDE) promotes a framework process that includes four stages:
Collect
Preserve
Examine
Transfer
That final step means any sort of transfer. This includes moving evidence from the lab to a court, or even returning evidence when no longer needed.
An event-based digital forensic investigation framework
Two researchers at the Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue University proposed a model that is more intuitive and flexible than the DFRWS framework. This model has five primary phases:
Readiness
Deployment
Physical Crime Scene Investigation
Digital Crime Scene Investigation
Presentation


Documentation
Strong evidence-processing documentation
Good chain-of-custody procedures
A systems forensics specialist should have a good understanding of:
Computer hard disks and CDs, and know how to find hidden data in obscure places
The techniques and automated tools used to capture and evaluate file slack or slack space

Without proper documentation, a forensic specialist has difficulty presenting findings and courts are unlikely to accept investigative results. This methodology includes strong evidence-processing documentation and good chain-of-custody procedures.

File Slack Searching
If you write a 1-kilobyte (KB) file to a disk that has a cluster size of 4 KB, the last 3 KB of the cluster are wasted
This unused space between the logical end of file and the physical end of file is known as file slack or slack space
File slack is a source of potential security leaks involving passwords, network logons, email, database entries, images, and word processing documents

Hard disk or CD segmented into clusters of a particular size
Each cluster holds a single file or part of a file
If you write a 1-kilobyte (KB) file to a disk that has a cluster size of 4 KB, the last 3 KB of the cluster are wasted.
This unused space between the logical end of file and the physical end of file is known as file slack or slack space.
Most computer users have no idea that they’re creating slack space as they use a computer.
In addition, pieces of a file may remain even after you delete it.
Residual information in file slack is not necessarily overwritten when you create a new file.
File slack is therefore a source of potential security leaks involving passwords, network logons, email, database entries, images, and word processing documents.
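To make the slack arithmetic and the leak concrete, here is an added example (not code from the textbook) that simulates a cluster-based volume in Python with the slide's numbers: 4 KB clusters and a 1 KB file. The `SimDisk` class, its file names and the sample contents are constructed for the illustration. It shows that a normal file read never returns the slack, while a bit-level read of the same cluster still finds the remains of a deleted document that once occupied it.

```python
"""Simulated cluster-based volume to illustrate file slack.
Added example; not from the textbook. Numbers follow the slide:
4 KB clusters, a 1 KB file leaves 3 KB of slack."""
import math
import re

CLUSTER_SIZE = 4096  # bytes per cluster, as on the slide


def slack_bytes(file_size, cluster_size=CLUSTER_SIZE):
    """Unused bytes between the logical end of file and the physical end
    of its last cluster. A 1 KB file in a 4 KB cluster leaves 3 KB."""
    if file_size == 0:
        return 0
    clusters = math.ceil(file_size / cluster_size)
    return clusters * cluster_size - file_size


class SimDisk:
    """Toy volume (constructed for this example): a flat bytearray divided
    into fixed-size clusters plus a directory of name -> (first cluster,
    logical size). A write only touches the bytes of the new file, so
    whatever was in the rest of the cluster survives: that is slack."""

    def __init__(self, clusters, cluster_size=CLUSTER_SIZE):
        self.cluster_size = cluster_size
        self.data = bytearray(clusters * cluster_size)
        self.directory = {}  # name -> (first_cluster, logical_size)

    def write(self, name, first_cluster, content):
        start = first_cluster * self.cluster_size
        self.data[start:start + len(content)] = content
        self.directory[name] = (first_cluster, len(content))

    def delete(self, name):
        # Like most file systems: drop the directory entry, keep the bytes.
        del self.directory[name]

    def logical_read(self, name):
        """What an ordinary program sees: only the logical file content."""
        first, size = self.directory[name]
        start = first * self.cluster_size
        return bytes(self.data[start:start + size])

    def slack_read(self, name):
        """Bytes after the logical end of file up to the physical end of
        the last cluster: visible only to a bit-level examination."""
        first, size = self.directory[name]
        start = first * self.cluster_size + size
        end = start + slack_bytes(size, self.cluster_size)
        return bytes(self.data[start:end])

    def search_slack(self, pattern):
        """Regex search of every file's slack; returns name -> matches."""
        hits = {}
        for name in self.directory:
            found = re.findall(pattern, self.slack_read(name))
            if found:
                hits[name] = found
        return hits


def demo():
    """Constructed scenario: a deleted 2.8 KB document with a credential
    line, then a 1 KB memo reusing the same cluster."""
    disk = SimDisk(clusters=4)
    old_doc = b"meeting notes\n" * 200 + b"\nlogin: jdoe password: hunter2\n"
    disk.write("notes.txt", 0, old_doc)
    disk.delete("notes.txt")
    # The new file is 1023 bytes: only the first 1023 bytes of cluster 0
    # are overwritten; the credential line at offset 2800 survives.
    disk.write("memo.txt", 0, b"Q3 budget memo\n" * 68 + b"END")
    logical = disk.logical_read("memo.txt")
    return disk.search_slack(rb"password: \S+"), b"password" in logical


if __name__ == "__main__":
    print("slack for 1 KB file in 4 KB cluster:", slack_bytes(1024), "bytes")
    print("slack hits, visible logically?:", demo())
```

The `slack_bytes` helper handles the general case (any file size, any cluster size), not only the 1 KB / 4 KB pair on the slide; a file that exactly fills its clusters has no slack, and a file that spills one byte into a new cluster leaves almost a whole cluster of it.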

Evidence-Handling Tasks


Find

Gather evidence

Preserve

Handle computers and storage media with caution

Prepare

Document evidence source and ensure evidence has not changed

Evidence-Gathering Measures

Forensic specialists should take the following measures when gathering evidence:
Avoid changing the evidence—Forensic specialists should:
Photograph equipment in place before removing it
Label wires and sockets so computers and peripherals can be reassembled in a laboratory exactly as they were in the original location
Transport computers, peripherals, and media carefully to avoid heat damage or jostling
Avoid touching original computer hard disks and CDs
Make exact bit-by-bit copies and store the copies on a medium that cannot be altered, such as a CD-ROM
Determine when evidence was created—Forensic specialists should not trust a computer’s internal clock or activity logs. Before logs disappear, an investigator should capture:
The time a document was created
The last time it was opened
The last time it was changed
Trust only physical evidence—The physical level of magnetic materials is where the 1s and 0s of data are recorded. In system forensics, only this physical level is real. A forensic specialist should consider everything else untrustworthy.
Search throughout a device—Forensic specialists must search at the bit level across a wide range of areas inside a computer, including:
Email and temporary files in the operating system and in databases
Swap files that hold data temporarily, logical file structures, and slack and free space on the hard drive
Software settings and script files that perform preset activities
Web browser data caches, bookmarks and history, and session logs that record patterns of usage
Present the evidence well—Forensic examiners must present computer evidence in a logical, compelling, and persuasive manner. The evidence should be solid enough that a defense counsel cannot rebut it. A forensic specialist must create a step-by-step reconstruction of actions, with documented dates and times. The specialist’s testimony must explain simply and clearly what a suspect did or did not do.
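The "make exact bit-by-bit copies" measure above, and the "ensure evidence has not changed" task from the evidence-handling slide, both rest on the same check: hash the source as it is read, hash the copy afterwards, and compare. The following is an added Python example, not code from the textbook or from any imaging product; it uses an ordinary file as a stand-in for the suspect device and a temporary directory for the image, and the record fields (`source`, `image`, `bytes`, `sha256`, `acquired_utc`) are a constructed chain-of-custody layout. In a real lab the source would sit behind a write blocker and the image would be taken with a dedicated imager; what is shown here is the verification logic that such tools perform.

```python
"""Bit-level copy with hash verification. Added example; not from the
textbook. A file stands in for the suspect device."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 4096  # read/write granularity; any size works


def acquire_image(source, image):
    """Copy source to image block by block, hashing the bytes as they are
    read. Returns a record suitable for a chain-of-custody log."""
    h = hashlib.sha256()
    size = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        while True:
            block = src.read(BLOCK_SIZE)
            if not block:
                break
            h.update(block)
            dst.write(block)
            size += len(block)
    return {
        "source": source,
        "image": image,
        "bytes": size,
        "sha256": h.hexdigest(),
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
    }


def hash_file(path):
    """SHA-256 of a file, streamed so large images do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(BLOCK_SIZE), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(record):
    """True only if the image still has the acquisition size and hash."""
    if os.path.getsize(record["image"]) != record["bytes"]:
        return False
    return hash_file(record["image"]) == record["sha256"]


def demo():
    """Constructed scenario: image a 10 KB 'device', verify, then flip one
    byte in the image and verify again. Returns (ok_before, ok_after)."""
    with tempfile.TemporaryDirectory() as tmp:
        device = os.path.join(tmp, "suspect_disk.bin")
        image = os.path.join(tmp, "suspect_disk.dd")
        with open(device, "wb") as f:
            f.write(os.urandom(10 * 1024 + 123))  # odd size: last block partial
        record = acquire_image(device, image)
        ok_before = verify_image(record)
        # Simulate an accidental change to the copy: one bit in one byte.
        with open(image, "r+b") as f:
            f.seek(500)
            original = f.read(1)
            f.seek(500)
            f.write(bytes([original[0] ^ 0x01]))
        ok_after = verify_image(record)
    return ok_before, ok_after


if __name__ == "__main__":
    print("verified before / after tamper:", demo())
```

Hashing the source while copying it, rather than reading the source a second time, is deliberate: the slide says to touch the original as little as possible, and one pass is enough to prove that the image is a faithful copy. Any later re-verification (before analysis, before handing the image to another examiner, before court) only needs the image and the recorded hash.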


Expert Reports
Formal documents that detail experts’ findings
Considerations include:

Expert reports
An expert report is a formal document that details the expert’s findings. Considerations include:
The format of the report—You should list all items, documents, and evidence considered along with the details of any tests you performed, analysis done, and your conclusion. You should list your entire curriculum vitae (CV) in an appendix.
Thoroughness—In most jurisdictions, if it is not in your report, you are not allowed to testify about it at trial. Be thorough.
Back up everything you say—The opposing counsel may have his or her own expert who will testify to different conclusions. It is good to have at least three well-respected references to support any important claims you make.


How to Set Up a Forensic Lab


Identify functions to be performed

Define activities and estimate workload

Determine necessary equipment and software

Determine physical space requirements

Plan for security

Equipment
Computers
Server should have RAID 1 at a minimum
Hard drives and storage
USB, SCSI, etc.
Legacy and state-of-the-art

Different types of organizations have different budgets.
The lab will require different types of computers to facilitate multiple types of analysis.
The storage requirements for a lab depend on the volume of cases.
The lab also needs to be stocked to handle current technologies as well as legacy technologies.

Equipment (Cont.)
Peripherals
Networking equipment
Cables, adapters, and converters
Write blockers
Tools


Security
Network and electronic security
Lab network should not be attached to the Internet
Includes physical security
Access to the lab
Ways of securing evidence


American Society of Crime Laboratory Directors (ASCLD)
Provides guidelines for:
Managing a forensics lab
Acquiring crime lab and forensic lab certification
A lab must meet about 400 criteria to achieve accreditation
TEMPEST


Forensics Software Tools
EnCase
Forensic Toolkit (FTK)
OSForensics
Helix
Kali Linux
AnaDisk disk analysis tool
CopyQM Plus disk duplication software
The Sleuth Kit
Disk Investigator

EnCase
EnCase is a widely used forensic toolkit. EnCase:
Allows the examiner to connect an Ethernet cable or null modem cable to a suspect machine and to view the data on that machine.
Prevents the examiner from making any accidental changes to the suspect machine.
 
Forensic Toolkit (FTK)
The Forensic Toolkit (FTK) is another widely used forensic analysis tool that is popular with law enforcement. FTK:
Is particularly useful at cracking passwords.
Provides tools to search and analyze the Windows Registry. The Windows Registry is where Windows stores all information regarding any programs installed, including viruses, worms, Trojan horses, hidden programs, and spyware.
Has a robust set of tools for examining email.
Allows for distributed processing. Processing and analysis can be distributed on up to three computers, allowing all three computers to process the analysis in parallel, significantly speeding up the forensic process.
Has an Explicit Image Detection add-on that automatically detects pornographic images. This is very useful in cases involving allegations of child pornography.
 
OSForensics
Full product is $899, which is a fraction of the cost of many other tools.
Very easy to use.
Will do most of what EnCase and FTK will do, but lacks a few of those products’ specialized features. For example, OSForensics does not have a Known File Filter, as FTK does.
Helix
Helix is a customized Linux Live CD used for computer forensics. Basically, you boot the suspect system into Linux using the Helix CDs and then use the tools provided with Helix to perform your analysis. Helix is full of features but it has not become as popular as FTK and EnCase.
 
Kali Linux
Kali Linux (formerly BackTrack) is a Linux Live CD that you use to boot a system and then use the tools. Kali Linux is a free Linux distribution. It is not used just for forensics and has a wide number of general security and hacking tools. It is probably the most widely used collection of security tools available.
 
AnaDisk
AnaDisk turns a PC into a sophisticated disk analysis tool. It scans for anomalies that identify odd formats, extra tracks, and extra sectors. It can be used to uncover sophisticated data-hiding techniques.
 
CopyQM Plus
CopyQM Plus essentially turns a PC into a disk duplicator. In a single pass, it formats, copies, and verifies a disk. This capability is useful for system forensics specialists who need to preconfigure CDs for specific uses and duplicate them.
 
The Sleuth Kit
The Sleuth Kit is a collection of command-line tools that are available as a free download. This tool set is not as rich or as easy to use as EnCase, FTK, or OSForensics, but can be a good option for a budget-conscious agency. There are options to search for a given file or to search for only deleted versions of a file, which is useful when you know the specific file you are searching for. However, it is not a good option for a general search.
 
Disk Investigator
This is a free utility that comes as a graphical user interface for use with Windows operating systems. It is not a full-featured product but it is easy to use. When you first launch the utility, it presents you with a cluster-by-cluster view of your hard drive in hexadecimal. From the View menu, you can view directories or the root. The Tools menu allows you to search for a specific file or to recover deleted files.
 

EnCase Case File

(c) ITT Educational Services, Inc.

EnCase View Pane


EnCase View Search


FTK Features


FTK Analysis


Certifications

PC hardware: This can be obtained in a basic hardware course at a college or via the CompTIA A+ certification.
Basic networking: Most computer science-related degrees include a course in basic networking. Students might consider the CompTIA Network+ or the Cisco Certified Network Associate (CCNA) certifications.


Certifications

Security: You must have a general knowledge of security. This can be best demonstrated with the CompTIA Security+ certification and/or the (ISC)2 CISSP certification.
The Security+ is an excellent entry-level security certification. The CISSP is the most popular upper-level security certification.
Hacking: You need to know what the hackers know. One of the most widely known certifications for this area of study is the EC-Council Certified Ethical Hacker.


Forensics-Specific Certifications

OSForensics has a certification test that covers a few basics of forensic methodology, but focuses on the use of the OSForensics tool. This certification does not have specific educational requirements.

EnCase Certified Examiner Certification

AccessData Certified Examiner

OSForensics

(ISC)2 Certified Cyber Forensics Professional (CCFP)

Forensics-Specific Certifications


EC-Council Certified Hacking Forensic Investigator (CHFI)

High Tech Crime Network certifications

SANS Global Information Assurance Certification (GIAC) certifications

Summary
Forensic lab set-up
Methodologies and approaches used in forensic investigations
Evidence-handling tasks
Common forensic software programs
Documentation of methodologies and findings

